Trouble Passing through to the Server

Unanswered Question
May 7th, 2010


I just installed a VPN client version on my new Windows 7 Professional Laptop.  Our server is a Windows Small Business Server 2003 with a PIX 501 firewall.  I got a connection but could not get into the server.  I set the VPN client the same way as I did with a previous version of the Cisco VPN client that was on a Windows XP Pro laptop.

Any suggestions??

Federico Coto F... Fri, 05/07/2010 - 13:09


If your computer is currently behind a PAT device, you need to check that the client has NAT-T enabled.

Check this by going to the VPN client and, under the Transport tab, confirming that NAT transparency is enabled.

Also, some ISPs might block ESP.

Try to PING the inside IP of the PIX.

Also, the server has a default gateway pointing to the PIX?


wjacobs77 Fri, 05/07/2010 - 13:20

Hi Federico,

I set it as UDP.  My home location uses a wireless access to our ISP and it worked under the previous version.  See attachment.

Thanks for the response.


wjacobs77 Fri, 05/07/2010 - 13:25

I checked the Transport tab and I do have it enabled.  I am a novice.

Federico Coto F... Fri, 05/07/2010 - 13:28


Nothing else has changed like IP addresses?
Do you have access to the PIX 501?

Anyway, if it worked from your home previously, it should work now with this version.
You say the tunnel establishes, but cannot reach the server.

Check the following:
When the VPN client is connected, right click on the yellow closed lock and choose statistics.
Check that the transport says Active on UDP port 4500
Check that the packets are being encrypted/decrypted
Do you see the server's network under the ''route details'' tab?


wjacobs77 Fri, 05/07/2010 - 13:39


Here is what I saw:

Transport is Active on UDP port 4500

Encrypted = 270

Decrypted = 4

Discarded = 23

Nothing shows under Route Details.


Federico Coto F... Fri, 05/07/2010 - 13:43


Packets are sent and received through the tunnel (that's good).

Please check again under route details under the Secured Routes portion, you should have at least 1 network or a bunch of zeros.


Federico Coto F... Fri, 05/07/2010 - 14:18


You don't have access to the PIX-501?

From the client, what we can do is check the logs (make sure the logs are enabled and the severity up to 3-High on all categories and send the text file when attempting the connection).

Since the tunnel establishes and the problem is just passing traffic through the tunnel, the normal reasons for this are:

ESP being blocked

NAT-T not enabled --> we have verified this is not the case

Changes in IPs

Do you know what is the IP address of the PIX-501 to see if you can PING it from your VPN client?


wjacobs77 Fri, 05/07/2010 - 14:53


I do not know what the IP Address is to the Pix unit.  The IP address to the server I do know.

Is there a way that I can find out without being at the Pix location??


wjacobs77 Fri, 05/07/2010 - 15:13


So I used the same one as the previous client that worked and it is correct.  That's odd.


Federico Coto F... Fri, 05/07/2010 - 15:17

The thing is that if nothing has really changed (besides the version of the VPN client software), you should be able to connect to the server.

We know that the VPN client is sending the packets through the tunnel (and it's receiving some).

But we're not sure if the communication is reaching the server.

Honestly, I believe something must have changed, but without having access to the PIX we don't know.

We can look at the logs from the client...


wjacobs77 Fri, 05/07/2010 - 15:14

I just pinged the IP address that is being used by the client and it worked.

Federico Coto F... Fri, 05/07/2010 - 16:12


What do you mean with this:

I just pinged the IP address that is being used by the client and it worked.


wjacobs77 Fri, 05/07/2010 - 16:22

Ok.  The vpn set-up requires a Host, right??  So I used this address using the ping command and it worked.  Is that not right??

Federico Coto F... Sat, 05/08/2010 - 14:02

Ok Wes,

After all the troubleshooting, could you please give me the status of where we are right now?

Still not communicating with the server?


wjacobs77 Mon, 05/10/2010 - 13:05


After all of our discussions I could not get into the server.  I am currently at the work location and can access any information that I could not when I was offsite.

I had a Laptop with XP Pro and a Cisco VPN client.  I got a new laptop running Windows 7 Pro.  So I downloaded a 64-bit Cisco Client for Windows 7.  Set it up the same way and even showed that I got a connection.  But on the server side there were just zeros.  So evidently did not get through.

We have a Pix 501 unit.  What information do I need and how can I configure from the work side so that I can properly test it offsite??



Federico Coto F... Mon, 05/10/2010 - 13:20


Do the following:

Get a ''sh run'' from the PIX and we can configure it later to make it work.

We will need to know the network information of the PIX (IP address, mask, default gateway, etc.)


wjacobs77 Wed, 05/12/2010 - 09:41


I got the "sho run" information:

name  VPN Connections

permit ip any VPN Connections

access-list 101 permit icmp any any echo-reply

access-list permit tcp any host eq smtp

access-list permit tcp any host eq https

logging host inside

mtu outside 1500

mtu inside 1500

ip address outside

ip address inside

ip local pool vpn_pool

anything else we need?



wjacobs77 Thu, 05/13/2010 - 16:18


Have you been able to review sh run?  I have no idea as to why this is not working.  I uninstalled the client, reinstalled it with the same results.

Let me know what you think.


Federico Coto F... Thu, 05/13/2010 - 16:24


Add this command:
management-access inside

Also add this command:
sysopt connection permit-vpn
Then, check if you can PING from the VPN client.

What is the IP of the server? 192.168.1.x?
Check that the default gateway of the server is


wjacobs77 Thu, 05/13/2010 - 16:47


Do I make the entry at the Pix unit or from the client?  If from the client do I do this from a DOS prompt?

Thanks so much for your help.  The server IP Address is


wjacobs77 Fri, 05/14/2010 - 04:16


I opened the Pix Manager and entered the first command and it seemed to accept this.  I attempted the second command and it failed.  So what is next??


Federico Coto F... Fri, 05/14/2010 - 06:52


If it took the command: management-access inside

Make sure that you can PING from the VPN client when connected.


Daniel Voicu Fri, 05/14/2010 - 08:39

Hi Jacobs,

Sometimes the problem is related to the MTU. There is a "SetMTU" utility in the same folder as the VPN client exec file (I think it is also in the VPN client start menu). Set up the value 1300 for all connections, reboot and then try the access again.
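
The MTU suggestion above can be measured before changing any setting. The following is an added example, not part of the thread or any poster's code: a PowerShell script that uses Windows `ping` with Don't Fragment set to find the largest payload that crosses the connected tunnel. The target address is a placeholder, and the `TTL=` match assumes ping.exe reply lines contain that string.

```powershell
# Added example: find the largest ICMP payload that crosses the tunnel unfragmented.
# $Target is a placeholder; use the inside address of the server or the PIX.
param(
    [string]$Target = '<server-inside-ip>',
    [int]$Low = 500,     # payload size assumed small enough to pass
    [int]$High = 1472    # 1500-byte Ethernet MTU minus 20 (IP) and 8 (ICMP)
)

function Test-Payload {
    param([string]$Address, [int]$Size)
    # -f sets Don't Fragment, -l sets payload size, -n 2 sends two probes,
    # -w 1500 waits 1500 ms per reply
    $out = & ping.exe -f -l $Size -n 2 -w 1500 $Address
    # A reply line contains "TTL="; fragmentation-needed errors and timeouts do not
    return [bool]($out -match 'TTL=')
}

if (-not (Test-Payload -Address $Target -Size $Low)) {
    # Even small packets fail, so lowering the MTU alone will not fix it
    Write-Output "No reply even at $Low bytes: the problem is not (only) MTU."
    return
}

# Binary search: $Low always passes, anything above $High is not known to pass
while ($Low -lt $High) {
    $mid = [int][math]::Ceiling(($Low + $High) / 2)
    if (Test-Payload -Address $Target -Size $mid) {
        $Low = $mid
    } else {
        $High = $mid - 1
    }
}

$mtu = $Low + 28   # add the IP and ICMP headers back
Write-Output "Largest unfragmented payload: $Low bytes (path MTU about $mtu)"
```

Run it while the VPN client is connected. A result well below 1472 means large packets are being dropped inside the tunnel, which is the case the SetMTU value of 1300 is meant to address.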


